[Top][All Lists]

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: [Duplicity-talk] decryption failure in duplicity replicate

From: edgar . soldin
Subject: Re: [Duplicity-talk] decryption failure in duplicity replicate
Date: Mon, 23 Aug 2021 13:40:00 +0200
User-agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:68.0) Gecko/20100101 Thunderbird/68.12.1

hey Peter,

On 23.08.2021 07:47, zga9uhnq4g--- via Duplicity-talk wrote:
> Thanks for the hints Ken.  I did find lots of info talking about changes 
> between gpg1 and gpg2, and when I "duplicity" to the search term, I found a 
> bunch of duplicity-specific stuff basically saying the same thing, including 
> https://askubuntu.com/questions/1057627/duplicity-fails-with-bad-session-key-error
>  with an answer from Edgar.  I followed the links he mentioned, and tried the 
> workarounds described in 
> https://superuser.com/questions/984977/duplicity-restore-failing-no-secret-key,
>  but they didn't help, so either I didn't do them correctly or my problem is 
> different.
> I'm skeptical that it could be a gpg1 versus gpg2 issue, since I started 
> using duplicity 2020-12-12 and based on /var/log/apt/history.log, I had the 
> gnupg and gpg* packages at version 2.2.20-1.  Later, on 2021-06-25, I 
> upgraded these packages to version 2.2.27-2, but AFACT I never used a version 
> earlier than 2.2.20.

the solution, issue/workaround described is an upgrade from gpg 2.0 to 2.1+ . 
but the error actually just says "wrong or no password given"

my guess is that you managed to modify the password used to gpg encrypt your 
backup between chains.

what is the exact error when trying to restore your backup from 12.Dec.2020 ?

> I did some further testing using both "duplicity verify" and "duplicity 
> restore" for the "latest" backup which succeed, and then using "--time 
> 2020-12-12" to access my first backup which failed with the "Bad session key" 
> error from gpg.  I then used --time to try verify/restore backups from 
> 2021-08-01, 2021-07-01, 2021-06-01, etc., then narrowed failure down to a 
> single day.  It appears that I can verify/restore all backups after 
> 2021-02-10, but verify/restore fail for the backups on or before 2021-02-09.  
> I just figured out that I added "--full-if-older-than 1M" to the duplicity 
> backup command in my backup script on 2021-02-08, so it took effect on the 
> backup on 2021-02-09. so "duplicity collection status" shows
>     Last full backup date: Wed Aug 11 02:01:44 2021
>     Collection Status
>     -----------------
>     Connecting with backend: BackendWrapper
>     Archive dir: /root/.cache/duplicity/770219317cf70c5a3236e3cb0d9a212c
>     Found 7 secondary backup chains.
>     Secondary chain 1 of 7:
>     -------------------------
>     Chain start time: Sat Dec 12 12:42:09 2020
>     Chain end time: Mon Feb  8 03:31:07 2021
>     Number of contained backup sets: 57
>     Total number of contained volumes: 58
>      Type of backup set:                            Time:      Num volumes:
>                     Full         Sat Dec 12 12:42:09 2020                 2
>              Incremental         Mon Dec 14 03:30:55 2020                 1
>                       ...
>              Incremental         Sun Feb  7 03:30:51 2021                 1
>              Incremental         Mon Feb  8 03:31:07 2021                 1
>     -------------------------
>     Secondary chain 2 of 7:
>     -------------------------
>     Chain start time: Tue Feb  9 03:31:06 2021
>     Chain end time: Wed Mar 10 03:31:24 2021
>     Number of contained backup sets: 30
>     Total number of contained volumes: 31
>      Type of backup set:                            Time:      Num volumes:
>                     Full         Tue Feb  9 03:31:06 2021                 2
>              Incremental         Wed Feb 10 03:31:06 2021                 1
>     ...
> Since, as you can see my backups run at 3:30, specifying "--time 2021-02-09" 
> (as I did in the testing I described above) is actually accessing the backup 
> set  from 2021-02-08, so my guess is that any access to the first backup 
> chain (Secondary chain 1 of 7)  is producing the "Bad session key" error from 
> gpg.

sounds reasonable

> So now my real question is, is there any way to replicate my backup, but skip 
> secondary chain 1 of 7.  The man page says "When /--time/ time is given, only 
> backup sets older than time will be replicated", which seems like the 
> opposite of what I need.  Is my only option to run "duplicity 
> remove-older-than 2021-02-09" and then do the replicate?

i am not really sure why replicate as functionality was added to duplicity, 
especially that way (recompressing,reencrypting), but what you can easily do is 
just move/copy the files on the backup repo to another backend and change the 
target for duplicity (use e.g. rclone).

the backup files are named pretty conclusively, so sorting them by name should 
allow you to identify chains/backups. when you did that you can e.g. simply 
move the "broken" chain into another folder, out of the way and replicate 
should magically work. but again, no need to replicate at all if you want to 
keep encraption/compression as is. simply copy the files and run a verify 
against the new backup repo after and you are all set!

> I would also still be interested in any suggestions for how I can make the 
> backups from 2021-02-09 and before accessible again.

as asked above.  what's the exact error? if it is still "gpg: decryption 
failed: Bad session key" then you could try to find out if it's a duplicity bug 
or gpg issue (wrong passphrase, passphrase not routed to process) by fetching a 
gpg volume from the offending chain and simply trying to decrypt manually via 
gpg to /tmp or such just to pinpoint the issue. see 

good luck.. ede/duply.net

reply via email to

[Prev in Thread] Current Thread [Next in Thread]